Analysis
- max time kernel: 145s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2023, 15:29
Static task: static1
Behavioral task: behavioral1
- Sample: 3c2d424eb0ce7247e886445f3bee74414d0c3c61b5a47214d8bff84cfe31b3f7.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 3c2d424eb0ce7247e886445f3bee74414d0c3c61b5a47214d8bff84cfe31b3f7.exe
- Resource: win10v2004-20230915-en
General
- Target: 3c2d424eb0ce7247e886445f3bee74414d0c3c61b5a47214d8bff84cfe31b3f7.exe
- Size: 929KB
- MD5: 8ec79a42d4b0f2035403361b5da3e882
- SHA1: 61a7cb22e4e81d514fd6afa5dbf6ea9a7a61dfe5
- SHA256: 3c2d424eb0ce7247e886445f3bee74414d0c3c61b5a47214d8bff84cfe31b3f7
- SHA512: e9e88fb8c4e3672b2228f6711939d3d6421caa6a24196513503300ad1a71a222ac56605eab367614b8b7352bc5a17265af441c3416b14fea5df3e98f6413dc70
- SSDEEP: 12288:HMrSy90HaYq8+S8OUSKnnfB2HTXTAXsPNbLeFBtEA4jcSl2AZHZtCymuMjCRMR8H:5ybVvSdKfBeDTnPBeFml2AdZIyRGc
Malware Config
Extracted: redline
- kendo
- 77.91.124.82:19071
- auth_value: 5a22a881561d49941415902859b51f14
Signatures

Detect Mystic stealer payload (4 IoCs)
resource / yara_rule:
- behavioral2/memory/264-28-0x0000000000400000-0x0000000000428000-memory.dmp (family_mystic)
- behavioral2/memory/264-29-0x0000000000400000-0x0000000000428000-memory.dmp (family_mystic)
- behavioral2/memory/264-30-0x0000000000400000-0x0000000000428000-memory.dmp (family_mystic)
- behavioral2/memory/264-32-0x0000000000400000-0x0000000000428000-memory.dmp (family_mystic)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
pid / Process:
- 3040: x5481510.exe
- 4664: x5513708.exe
- 1236: x8841231.exe
- 456: g3069819.exe
- 1284: h9166805.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / Process:
- Set value (str) by x5481510.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- Set value (str) by x5513708.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- Set value (str) by x8841231.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
- Set value (str) by 3c2d424eb0ce7247e886445f3bee74414d0c3c61b5a47214d8bff84cfe31b3f7.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""

Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target:
- PID 456 set thread context of 264 (pid 456, g3069819.exe, procid_target 92)

Program crash (2 IoCs)
pid / pid_target / Process / procid_target:
- 2808 / 456 / WerFault.exe / 91
- 4044 / 264 / WerFault.exe / 92

Suspicious use of WriteProcessMemory (25 IoCs)
description / pid / Process / procid_target:
- PID 5036 wrote to memory of 3040 (pid 5036, 3c2d424eb0ce7247e886445f3bee74414d0c3c61b5a47214d8bff84cfe31b3f7.exe, procid_target 88)
- PID 5036 wrote to memory of 3040 (pid 5036, 3c2d424eb0ce7247e886445f3bee74414d0c3c61b5a47214d8bff84cfe31b3f7.exe, procid_target 88)
- PID 5036 wrote to memory of 3040 (pid 5036, 3c2d424eb0ce7247e886445f3bee74414d0c3c61b5a47214d8bff84cfe31b3f7.exe, procid_target 88)
- PID 3040 wrote to memory of 4664 (pid 3040, x5481510.exe, procid_target 89)
- PID 3040 wrote to memory of 4664 (pid 3040, x5481510.exe, procid_target 89)
- PID 3040 wrote to memory of 4664 (pid 3040, x5481510.exe, procid_target 89)
- PID 4664 wrote to memory of 1236 (pid 4664, x5513708.exe, procid_target 90)
- PID 4664 wrote to memory of 1236 (pid 4664, x5513708.exe, procid_target 90)
- PID 4664 wrote to memory of 1236 (pid 4664, x5513708.exe, procid_target 90)
- PID 1236 wrote to memory of 456 (pid 1236, x8841231.exe, procid_target 91)
- PID 1236 wrote to memory of 456 (pid 1236, x8841231.exe, procid_target 91)
- PID 1236 wrote to memory of 456 (pid 1236, x8841231.exe, procid_target 91)
- PID 456 wrote to memory of 264 (pid 456, g3069819.exe, procid_target 92)
- PID 456 wrote to memory of 264 (pid 456, g3069819.exe, procid_target 92)
- PID 456 wrote to memory of 264 (pid 456, g3069819.exe, procid_target 92)
- PID 456 wrote to memory of 264 (pid 456, g3069819.exe, procid_target 92)
- PID 456 wrote to memory of 264 (pid 456, g3069819.exe, procid_target 92)
- PID 456 wrote to memory of 264 (pid 456, g3069819.exe, procid_target 92)
- PID 456 wrote to memory of 264 (pid 456, g3069819.exe, procid_target 92)
- PID 456 wrote to memory of 264 (pid 456, g3069819.exe, procid_target 92)
- PID 456 wrote to memory of 264 (pid 456, g3069819.exe, procid_target 92)
- PID 456 wrote to memory of 264 (pid 456, g3069819.exe, procid_target 92)
- PID 1236 wrote to memory of 1284 (pid 1236, x8841231.exe, procid_target 98)
- PID 1236 wrote to memory of 1284 (pid 1236, x8841231.exe, procid_target 98)
- PID 1236 wrote to memory of 1284 (pid 1236, x8841231.exe, procid_target 98)
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\3c2d424eb0ce7247e886445f3bee74414d0c3c61b5a47214d8bff84cfe31b3f7.exe [PID 5036]
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c2d424eb0ce7247e886445f3bee74414d0c3c61b5a47214d8bff84cfe31b3f7.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5481510.exe [PID 3040]
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5481510.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5513708.exe [PID 4664]
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5513708.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8841231.exe [PID 1236]
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8841231.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3069819.exe [PID 456]
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3069819.exe
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe [PID 264]
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            C:\Windows\SysWOW64\WerFault.exe [PID 4044]
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 540
              Signatures: Program crash
          C:\Windows\SysWOW64\WerFault.exe [PID 2808]
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 552
            Signatures: Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9166805.exe [PID 1284]
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9166805.exe
          Signatures: Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe [PID 3640]
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 264 -ip 264

C:\Windows\SysWOW64\WerFault.exe [PID 3920]
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 456 -ip 456
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files (each entry was listed twice in the original report, once per behavioral task; duplicates collapsed):

- Filesize: 827KB
  MD5: 6802338ca60a7809c04c84ecaa88faf4
  SHA1: c8d7481b96a8a331ee4c8e2a0883d063400ce0ba
  SHA256: e6677eb1a32a02fd8e4331fad5c01448b355d32c8d62bba3b15250cfbd6a1fa7
  SHA512: b63d326e013a6d3e2525e7e26f624566c9aadafd6384f9acda7f72dff08d143ec0927f4179895ae0b9ca046606e44cc60bed53a894c2fb570964af43a5c5bcd3

- Filesize: 556KB
  MD5: b31b4a948a2b398f52056dac828782d4
  SHA1: 3f9f95939081a6e10c2e7f066baca46caa9b698c
  SHA256: 6d77a77a0e19f276e4c9d6c483dc03c1bca471b0e3de8a783207cd7c17d595c2
  SHA512: 0f44793b53106ce56d3432ff461e43dc28e3240174f8cd4ae5e41b96da54a32db9b87783657a9b0da708531ef3d9bf4d90bb34833e76cb6902d6600a73784f93

- Filesize: 390KB
  MD5: d326ee5e5ec1b1eafaa788a43a18721d
  SHA1: baa35b3d1ed53c625ddd8e80f55ce0e740d3e934
  SHA256: e17a20c93754a7d74155c0326785af6ed2f4e194bba6c7e1f18f2ae9cc280ce6
  SHA512: bfb00503961875dfd5272221e37aaf6494fd04528593bceab64157fbb240849db1a68619b403bbeb78b9eed76329a7ab7e7337624f9c3fd86718ccb47f0e3dc6

- Filesize: 364KB
  MD5: 0cac19a90e4495a941516c4d463afb0d
  SHA1: 657430e558923c3abc5afa6d8e3396fd12c0b582
  SHA256: 415f80d4824b985faf2f33a865e59280c0c13e8b5fa9e3e66b53b279261dd6e0
  SHA512: a32983466c3d799a2426ea527a9172c0c9e824059d296ea1dfda9273e9f9285484b5f62461398407a57ff7e2369156b03bed0047ae257c2ffd1ea6027cf64bfb

- Filesize: 174KB
  MD5: 4510646db9569fbb1ed02ca9b0c57218
  SHA1: 15aaa76b732d2a79960820c1c07c124bb278df2c
  SHA256: c3aaa67faac5f8bd367aabfbe695ca20b9b94cfbcf9c34c6bd05d557d2c5bf3c
  SHA512: 29bc344f736696822d7f9b84fc8c93e9e75c1009a1acd941e188ea113204c1615a91808486698212bdf2ca0c312791e24830d18e7244bf8233011c3d0163bd7e